SOCIAL SECURITY
November 9, 2009


The Honorable Michael J. Astrue
Commissioner


This letter transmits the Independent Auditor’s Report on the audit of the Social Security
Administration’s (SSA) Fiscal Year (FY) 2009 financial statements. The Report includes the
Office of the Inspector General’s (OIG) Opinion on the Financial Statements, Report on
Management's Assertion About the Effectiveness of Internal Control, and Report on Compliance
and Other Matters.

Objective of a Financial Statement Audit

The objective of a financial statement audit is to determine whether the financial statements are
free of material misstatement. An audit includes examining, on a test basis, evidence supporting
the amounts and disclosures in the financial statements. An audit also includes assessing the
accounting principles used and significant estimates made by management as well as evaluating
the overall financial statement presentation.

The OIG’s audit was conducted in accordance with auditing standards generally accepted in the
United States; Government Auditing Standards issued by the Comptroller General of the United
States; and Office of Management and Budget (OMB) Bulletin No. 07-04, Audit Requirements
for Federal Financial Statements. The audit included obtaining an understanding of the internal
control, testing and evaluating the design and operating effectiveness of the internal control, and
performing such other procedures as considered necessary under the circumstances. Because of
inherent limitations in any internal control, misstatements because of error or fraud may occur
and not be detected. The risk of fraud is inherent to many of SSA’s programs and operations,
especially within the Supplemental Security Income program.
In our opinion, individuals
outside the organization perpetrate most of the fraud against SSA.

Audit of Financial Statements, Effectiveness of Internal Control, and Compliance with
Laws and Regulations

The Chief Financial Officers (CFO) Act of 1990 (P.L. 101-576), as amended, requires that SSA's
Inspector General (IG) or an independent external auditor, as determined by the IG, audit SSA's
financial statements in accordance with applicable standards. For comparative purposes, under a
contract monitored by the OIG, PricewaterhouseCoopers LLP (PwC), an independent certified
public accounting firm, audited SSA’s FY 2008 statements and issued an unqualified opinion on
those statements. The OIG audited SSA’s FY 2009 financial statements and OIG issued an
unqualified opinion on those financial statements. The OIG also reported that SSA's assertion
that its internal control over financial reporting was operating effectively as of
September 30, 2009 was fairly stated, in all material respects, based on criteria established under
OMB Circular A-123, Management’s Responsibility for Internal Control.

The OIG did identify a significant deficiency related to protecting information. In general, SSA
needs to establish and implement a policy to periodically reassess the content of security access
rights to ensure that employees and contractors are given least privilege access to perform their
job.

The OIG identified no reportable instances of noncompliance with the laws, regulations, or other
matters tested.


Patrick P. O’Carroll, Jr.
Inspector General

Enclosure

SOCIAL SECURITY ADMINISTRATION               BALTIMORE MD 21235-0001


OFFICE OF THE INSPECTOR GENERAL
INDEPENDENT AUDITOR’S REPORT

November 9, 2009
The Honorable Michael J. Astrue
Commissioner


In accordance with the Chief Financial Officers (CFO) Act of 1990 (Public Law 101-576), as amended, we are
responsible for conducting the financial statement audit of the Social Security Administration (SSA). In our audit of
SSA for Fiscal Year 2009, we found the following.

The consolidated balance sheets of SSA as of September 30, 2009 and 2008 and the related consolidated statements
of net cost and of changes in net position and the combined statements of budgetary resources for the years then
ended and the statement of social insurance as of January 1, 2009, 2008, 2007, and 2006 are presented fairly, in all
material respects, in conformity with accounting principles generally accepted in the United States of America.

Management fairly stated that SSA’s internal control over financial reporting was operating effectively as of
September 30, 2009.

SSA’s financial management systems substantially complied with the requirements of the Federal Financial
Management Improvement Act of 1996 (FFMIA).

No reportable instances of noncompliance with laws, regulations, or other matters tested.

The following sections discuss in more detail (1) these conclusions; (2) our conclusions on Management’s
Discussion and Analysis and other supplementary information; (3) our audit objectives, scope, and methodology;
and (4) Agency comments and our evaluation.

OPINION ON FINANCIAL STATEMENTS
We have audited the accompanying consolidated balance sheets of SSA as of September 30,
2009, and the related
consolidated statements of net cost and of changes in net position, and the combined statement of budgetary
resources for the year then ended and the statement of social insurance as of January 1, 2009. These financial
statements are the responsibility of SSA’s management. Our responsibility is to express an opinion on these
financial statements based on our audits.

The consolidated balance sheets of SSA as of September 30, 2008, and the related consolidated statements of net
cost and of changes in net position, and the combined budgetary resources for the year ended, and the statement of
social insurance as of January 1, 2008, 2007, and 2006 were audited by other auditors whose report dated
November 7, 2008 expressed an unqualified opinion on those statements. Their report thereon has been furnished to
us, and our opinion expressed herein, insofar as it relates to the amounts as of and for the year ended
September 30, 2008, is based solely on the report of the other auditors.

We conducted our audit in accordance with auditing standards generally accepted in the United States of America;
the standards applicable to financial audits contained in Government Auditing Standards, issued by the Comptroller
General of the United States; and Office of Management and Budget (OMB) Bulletin No. 07-04, Audit
Requirements for Federal Financial Statements. Those standards require that we plan and perform the audit to
obtain reasonable assurance about whether the financial statements are free of material misstatement. An audit
includes examining, on a test basis, evidence supporting the amounts and disclosures in the financial statements.
An audit also includes assessing the accounting principles used and significant estimates made by management as
well as evaluating the overall financial statement presentation.
We believe that our audit and the report of other
auditors provide a reasonable basis for our opinion.

In our opinion, based on our audit and the prior year audit reports of other auditors, the financial statements referred
to above and appearing on pages 92 through 123 of this Performance and Accountability Report (PAR), present
fairly, in all material respects, the financial position of SSA as of September 30, 2009 and 2008, and its net cost of
operations, changes in net position, budgetary resources for the years then ended, and the financial condition of its
social insurance program as of January 1, 2009, January 1, 2008, January 1, 2007, and January 1, 2006, in
conformity with accounting principles generally accepted in the United States of America.

Our audit was conducted for the purpose of forming an opinion on the financial statements of SSA taken as a whole.
The additional information presented on the statement of social insurance as of January 1, 2009, January 1, 2008,
January 1, 2007, and January 1, 2006 is not a required part of the financial statements and is presented for purposes
of additional analysis. Such information has been subjected to the auditing procedures applied in the audit of the
financial statements and, in our opinion, is fairly stated in all material respects in relation to the consolidated and
combined financial statements taken as a whole.

As discussed in Note 17 to the financial statements, the statements of social insurance present the actuarial present
value of SSA’s estimated future income to be received from, or on behalf of, the participants and estimated future
expenditures to be paid to, or on behalf of, participants during a projection period sufficient to illustrate long-term
sustainability of the social insurance program.
In preparing the statements of social insurance, management
considers and selects assumptions and data that it believes provide a reasonable basis for the assertions in the
statements. However, because of the large number of factors that affect the statements of social insurance and the
fact that future events and circumstances cannot be known with certainty, there will be differences between the
estimates in the statements of social insurance and the actual results, and those differences may be material.

REPORT ON MANAGEMENT’S ASSERTION ABOUT THE EFFECTIVENESS OF
INTERNAL CONTROL
We have also examined management’s assertion, included in the accompanying Federal Managers’ Financial
Integrity Act (FMFIA) Assurance Statement on page 41 of this PAR that SSA’s internal control over financial
reporting was operating effectively as of September 30, 2009 based on criteria established under OMB Circular
A-123, Management's Responsibility for Internal Control. We did not test all internal controls relevant to the
operating objectives broadly defined by the Federal Managers’ Financial Integrity Act of 1982, such as those
controls relevant to preparing statistical reports and ensuring efficient operations. SSA’s management is responsible
for maintaining effective internal control over financial reporting. Our responsibility is to express an opinion on
management’s assertion based on our examination.

Our examination was conducted in accordance with attestation standards established by the American Institute of
Certified Public Accountants (AICPA); the standards applicable to financial audits contained in Government
Auditing Standards, issued by the Comptroller General of the United States; and OMB Bulletin No.
07-04 and,
accordingly, included obtaining an understanding of the internal control, testing and evaluating the design and
operating effectiveness of the internal control, and performing such other procedures as we considered necessary in
the circumstances. We believe that our examination provides a reasonable basis for our opinion.

Because of inherent limitations in any internal control, misstatements due to error or fraud may occur and not be
detected. Also, projections of any evaluation of the internal control to future periods are subject to the risk that the
internal control may become inadequate because of changes in conditions, or that the degree of compliance with the
policies or procedures may deteriorate.

In our opinion, management’s assertion that SSA’s internal control over financial reporting was operating
effectively as of September 30, 2009, is fairly stated, in all material respects, based on criteria established under
OMB Circular A-123.

However, our work identified the need to improve certain internal controls, as described below and in a separate,
limited-distribution management letter. As defined by OMB Bulletin No. 07-04 (updated via M-08-24), a
significant deficiency is a deficiency in internal control, or a combination of deficiencies, that adversely affects the
entity’s ability to initiate, authorize, record, process, or report financial data reliably in accordance with generally
accepted accounting principles such that there is more than a remote likelihood that a misstatement of the entity’s
financial statements that is more than inconsequential will not be prevented or detected. A material weakness is a
significant deficiency, or combination of significant deficiencies, that result in a more than remote likelihood that a
material misstatement of the financial statements will not be prevented or detected.
This material weakness
definition aligns with the same material weakness definition used by management to prepare the Agency’s FMFIA
assurance statement. This deficiency in internal control, although not considered to be a material weakness,
represents a significant deficiency.

Significant Deficiency

SSA Needs to Further Strengthen Controls to Protect Its Information
Since FY 2005, the Agency has made significant progress in identifying and establishing a baseline for security
access or "profiles" to their financially significant mainframe applications, security administration tools, and
operating systems. However, we note the need for continued progress regarding the process to periodically
re-certify this security access. Testing disclosed that a policy and procedure had not been established and consistently
implemented across the Agency to periodically reassess the content of security access to ensure that employees and
contractors are given least privilege access to perform their job responsibilities. During the audit, SSA management
was unable to consistently provide documented evidence that security accesses were reviewed by management to
determine that the system datasets, transactions, and resources for mainframe hosted applications, including
financially significant systems and related tools, were in-line with the concept of least privilege.

Specific disclosure of detailed information about these exposures might further compromise controls and is
therefore not provided within this report. Rather, the specific details of weaknesses noted are presented in a
separate, limited-distribution management letter.

The need for a strong security program to address threats to the security and integrity of SSA operations grows and
transforms as the Agency continues to progress with plans to increase dependence on the Internet and Web-based
applications to serve the American public.
Clear, continued, and measurable progress has been made toward the
establishment of a strong overall security program. However, to more fully protect SSA from risks associated with
the loss of data, loss of other resources, or compromised privacy of information associated with SSA’s enumeration,
earnings, retirement, and disability processes and programs, SSA management must further strengthen its security
program. Specifically, further progress is needed in the area of access assignments to application systems data and
programs by SSA personnel, including the continual review of systems access via the periodic review of the content
of profiles.

Recommendations
We recommend that SSA management implement a policy that requires a periodic review of the content of the
Agency's profiles. The scope of the policy should include profiles that are Agencywide and those locally owned by
divisions and/or components. The process should allow for and enforce a consistent approach for review and should
require auditable artifacts to evidence the completion of these reviews. More specific recommendations focused on
the individual exposures we identified are included in a separate, limited-distribution management letter.

We noted other matters involving the internal control and its operation that we will communicate in a separate letter.

REPORT ON COMPLIANCE AND OTHER MATTERS
SSA management is responsible for compliance with laws and regulations. As part of obtaining reasonable
assurance about whether the financial statements are free of material misstatement, we performed tests of the
compliance with laws and regulations including laws governing the use of budgetary authority, Government-wide
policies and laws identified in Appendix E of OMB Bulletin No. 07-04 and other laws and regulations,
noncompliance with which could have a direct and material effect on the financial statements.
Under FFMIA, we
are required to report whether SSA’s financial management systems substantially comply with the Federal financial
management systems requirements, applicable Federal accounting standards, and the United States Government
Standard General Ledger at the transaction level. To meet this requirement, we performed tests of compliance with
FFMIA, section 803(a), requirements.

We did not test compliance with all laws and regulations applicable to SSA. We limited our tests of compliance to
the provisions of laws and regulations cited in the preceding paragraph of this report. Providing an opinion on
compliance with those provisions was not an objective of our audit and, accordingly, we do not express such an
opinion.

The results of our tests of compliance disclosed no instances of noncompliance with laws and regulations or other
matters that are required to be reported by Government Auditing Standards or OMB Bulletin No. 07-04 and no
instances of substantial noncompliance that are required to be reported under FFMIA.

CONSISTENCY OF OTHER INFORMATION
The Management’s Discussion and Analysis (MD&A) included on pages 5 through 44, and Required
Supplementary Information (RSI) included on pages 1 and 124 through 144 of this PAR are not a required part of
the financial statements but are supplementary information required by the Federal Accounting Standards Advisory
Board and OMB Circular No. A-136, Financial Reporting Requirements. We have applied certain limited
procedures, which consisted principally of inquiries of management regarding the methods of measurement and
presentation of the MD&A and RSI. We compared this information for consistency with the financial statements
and discussed the methods of measurement and presentation with SSA officials. On the basis of this limited work,
we found no material inconsistencies with the financial statements, U.S.
generally accepted accounting principles, or
OMB guidance. However, we did not audit the information and express no opinion on it.

Our audit was conducted for the purpose of forming an opinion on the financial statements of SSA taken as a whole.
The Schedule of Budgetary Resources, included on page 128 of this PAR, is not a required part of the financial
statements but is supplementary information required by OMB Circular No. A-136, Financial Reporting
Requirements. This information and the consolidating and combining information included on pages 124 to 127 of
this PAR are presented for purposes of additional analysis and are not a required part of the financial statements.
Such information has been subjected to the auditing procedures applied in the audit of the financial statements and,
in our opinion, is fairly stated in all material respects in relation to the financial statements taken as a whole.

The other accompanying information included on pages 2 through 4, 44 through 91, 145, 146, and 155 to the end of
this PAR, is presented for purposes of additional analysis and is not a required part of the financial statements. Such
information has not been subjected to the auditing procedures applied in the audit of the financial statements and,
accordingly, we express no opinion on it.

***********************

This report is intended solely for the information and use of management and the Inspector
General of SSA, OMB, the Government Accountability Office, and Congress and is not intended
to be and should not be used by anyone other than these specified parties. However, this report
is a matter of public record, and its distribution is not limited.


Steven L. Schaeffer, C.P.A.
Assistant Inspector General for Audit